package com.jiayuge.server.config.security.component;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

/**
 * 功能: 判断用户角色是否有权限访问当前url
 * 权限控制
 *
 * @Program: yeb
 * @Date: 2021-11-19 09:35
 * @Author Jiayu.Yang
 */
@Component
public class CustomUrlDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {

        //过滤出能够访问url的角色
        List<String> urlNeedRole = configAttributes.stream().map(configAttribute -> configAttribute.getAttribute()).collect(Collectors.toList());
        //
        if (urlNeedRole.contains("ROLE_LOGIN")) {
            if (authentication instanceof AnonymousAuthenticationToken) {
                throw new AccessDeniedException("尚未登陆，请登录");
            }
            return;
        }
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        //过滤出当前登录用户具备的角色
        List<String> userHaveRole = authorities.stream().map(authoritie -> authoritie.getAuthority()).collect(Collectors.toList());
        //求交集（结果放在调用者中）
        urlNeedRole.retainAll(userHaveRole);
        //如果有交集，说明可以访问 返回即可
        if (urlNeedRole.size()!=0) {
            return;
        }

//        for (ConfigAttribute configAttribute : configAttributes) {
//            //获取能够访问当前url的角色
//            String urlNeedRole = configAttribute.getAttribute();
//            //判断url是否登录即可访问 此角色CustomUrlRoleFilter配置类中设置
//            if (urlNeedRole.equals("ROLE_LOGIN")){
//                //判断是否登录 没有登录抛出异常
//                if (authentication instanceof AnonymousAuthenticationToken){
//                    throw new AccessDeniedException("尚未登陆，请登录");
//                }
//                return;
//            }
//            //获取当前登录用户的角色
//            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
//            //获取当前登录用户的角色 判断是否有保函访问Url所需的角色
//            for (GrantedAuthority authority : authorities) {
//                if (authority.getAuthority().equals(urlNeedRole)){
//                    return;
//                }
//            }
//        }

//        //如果能够执行到这一步，说明上面的没有匹配上 也就说明没有权限管理
        throw new AccessDeniedException("权限不足，请联系管理员");
    }

    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return false;
    }

    @Override
    public boolean supports(Class<?> aClass) {
        return false;
    }
}
